Cc quy trnh chun kim tra mt ng dng website

Kin thc c bnWeb SecuritySeptember 10, 2014 3:10 pmhttp://securitydaily.net/cac-quy-trinh-chuan-kiem-tra-mot-ung-dung-website/Penetration testing l qu trnh kim th bo mt cho cc ng dng web bng cch gi lp cc cuc tn cng vo website tm kim v pht hin cc l hng, cc vn bo mt trongwebsite.Nhng ngikim th s ng vai tr l cc hacker v gi lp cc tn cng vocc trang web mc tiu.Di y l cc tiu chun nhm h tr cc nh kim th bo mt kim th cho cc trang web.

OWASP (D n bo mt ng dng web m)

T chc phng th cc thit b mng khng ch gip ngn chn m c xm nhp vo mng bng cch khai thc thng tin v l hng, m cn gip ch ng ngn cn nhng truy cp tri php v khng ph hp vo h thng. Tuy nhin, iu ny khng gip cc ng dng web trnh khi cc cuc tn cng, tin tc c th tn cng vo ng dng trc khi thc hin tn cng vo h thng. Do vy, cn c phng php kim tra, nh gi cc nguy c bo mt c bn trn ng dng. OWASP c thc hin vi mc tiu . y l d n c pht trin bi cng ng m nhm nng cao nhn thc v bo mt ng dng trong cc t chc.

OWASP cung cp nhiu ti liu hng dn v cc lnh vc khc nhau trong vic bo mt ng dng:

Cc vn v bo mt ng dng (Application Security Desk Reference): Ti liu ny cung cp cc nh ngha v m t v tt c cc khi nim quan trng, cc loi li, l hng, cc phng php tn cng, phng php kim tra, cc tc ng k thut v tc ng kinh doanh trong bo mt ng dng. y l ti liu tham chiu cho tt c cc ti liu hng dn khc ca OWASP.

Hng dn Pht trin (Developers Guide): Ti liu ny bao gm tt c cc yu t bo mt m ngi pht trin ng dng cn quan tm. Trong ti liu cung cp hng trm loi l hng phn mm, c th c s dng nh mt sch hng dn mnh m v kim sot bo mt.

Hng dn Kim tra (Testing Guide): L ti liu cung cp v cc quy trnh v cng c kim tra bo mt ng dng. Cch s dng ti liu tt nht l p dng vo vic kim tra im yu bo mt ca mt ng dng hon thin.

Hng dn Kim tra m ngun (Code Review Guide): Kim tra ng dng bng cch xem m ngun s h tr phng trnh cho ng dng khi cc tc ng bn cnh vic kim tra t bn ngoi. Ngi kim tra c th ch ng la chn cch thc tip cn vi ng dng ph hp nht.

Ngoi ra, cng ng OWASP cng gii thiu ti liu OWASP Top 10. y l mt d n tp trung vo phn loi 10 ri ro bo mt ng dng ph bin nht trong mi quan h vi cc tc ng k thut v kinh doanh, ng thi cung cp cc hng dn c th v cch thc kim tra, xc minh v khc phc nhng im yu bo mt d gp phi ca ng dng. OWASP Top 10 ch yu tp trung gii quyt vn v cc nguy c ph bin hn l vic bo mt trn mt ng dng web hon thin. Ton b ni dung trong OWASP Top 10 c ng ti ti a ch:www.owasp.org/index.php/Top10u im ca phng php OWASP Khuyn khch cc nh pht trin thc hnh m ha an ton bng cch tch hp kim tra an ninh tng giai on pht trin. iu ny s gip cho cc ng dng trong qu trnh pht trin trnh c cc li v an ton hn.

Ti liu Hng dn Kim tra ca OWASP cung cp chi tit v cc k thut nh gi, cung cp mt ci nhn rng hn vo nhiu nn tng cng ngh gip ngi kim tra la chn cch thc ph hp nht tin hnh kim tra.

Ti liu OWASP Top 10 cung cp cc hng dn k thut gip chng li cc cuc tn cng v im yu bo mt ph bin nht v duy tr tnh bo mt (Confidentiality), tnh ton vn (Integrity) v tnh sn sng (Availability) ca ng dng (CIA).

Cng ng OWASP cng pht trin mt s cng c bo mt v hng dn s dng tp trung vo kim tra ng dng web mt cch t ng. Mt vi cng c nh: WebScarab, Wapiti, JBroFuzz v SQLiX. Cc cng c ny cng c ci t sn trong h iu hnh BackTrack.

Quy trnh OSSTMM (Phng php kim tra an ninh m ngun m th cng)

OSSTMM (www.isecom.org/osstmm/) l mt tiu chun quc t c cng nhn kim tra v phn tch bo mt v ang c s dng bi nhiu t chc. C nhng cch thc khc nhau thc hin kim tra bo mt theo phng php OSSTMM nh sau:

Blind: Kim th Blindkhng yu cu phi bit cc thng tin v h thng mc tiu trc . Tuy nhin, mc tiu ny c thng bo trc khi bt u tin hnh kim th. Tn cng c o c hoc kim th game l nhng v d v kim th m. Loi kim th ny cng c chp nhn rng ri bi mc ch o c ca n trong vic thng bo trc mc tiu.

Double blind: Trong kim th Double blind, ngi kim tra khng cn bit bt k thng tin no v h thng mc tiu v mc tiu cng khng c thng bo trc khi tin hnh kim tra. Kim th hp en v kim th thm nhp l nhng v d ca kim th cp m. Vi loi kim th ny, ngi kim tra gp mt thch thc ln trong vic la chn loi cng c v k thut tt nht gii quyt c yu cu kim tra.

Gray box (hp xm): Trong kim th hp xm, ngi kim tra bit trc mt vi thng tin v h thng mc tiu v mc tiu c thng bo trc khi kim tra c thc hin. nh gi l hng (vulneralbility) l mt trong nhng v d c bn ca kim th hp xm.

Double gray box (cp hp xm): Kim th cp hp xm tng t nh kim th hp xm, tr vic xc nh khung thi gian cho mt ln kim tra v khng thc hin kim tra channel v vector. Kim th hp trng l mt v d v kim tra cp hp xm.

Tandem (song song): Trong kim th song song, ngi kim tra c cc kin thc ti thiu nh gi v h thng mc tiu v mc tiu cng c thng bo trc khi kim tra c thc hin. Cc kim th song song (hay cp trc sau) c thc hin trit . Kim th hp thy tinh (crytal box) v kim ton (in-house audit) l v d ca kim th song song.

Reversal (o ngc): Trong kim th o ngc, ngi kim tra bit trc y kin thc v h thng mc tiu v mc tiu khng c bit khi no kim th c tin hnh. Kim th m (red-teaming) l mt v d ca kim th o ngc.

u im ca phng php OSSTMM OSSTMM lm gim ng k s xut hin ca cnh bo nhm (false positive) v b qua nhm (false negative) v cung cp php o chnh xc i vi bo mt.

Phng php ny thch nghi vi nhiu loi kim tra bo mt nh kim th thm nhp, kim th hp trng, nh gi l hng,

m bo rng nh gi c thc hin trit v kt qu c tng hp mt cch ph hp, c nh lng v ng tin cy.

Cc phng php ny tun theo mt qu trnh bn bc gm: bc nh ngha, bc thng tin, bc php l, v bc tin hnh kim th. Mi bc gm thu thp, nh gi v xc minh cc thng tin lin quan n mi trng mc tiu.

S liu ca o bo mt c c bng cch s dng phng php RAV (Risk Assessment Values Gi tr nh gi ri ro). RAV tnh ton gi tr bo mt thc t da trn hot ng an ninh, kim sot s mt mt v nhng gii hn. S im RAV th hin trng thi an ninh hin ti ca mc tiu.

Cc bo co c th hin di nh dng STAR (Security Test Audit Report Bo co kim tra bo mt) thun li cho vic qun l cng nh xem xt ca i ng k thut, cc gi tr nh gi ri ro (RAV) v u ra t mi giai on kim tra.

Phng php ny thng xuyn c cp nht vi cc xu hng mi ca kim tra bo mt, quy nh v mi quan tm v o c.

Cc bc ca OSSTMM c th d dng phi hp vi cc quy nh ca ngnh cng nghip, chnh sch kinh doanh v php lut ca chnh ph. Ngoi ra, mt chng nhn kim th cng c th hi iu kin c cng nhn trc tip t ISECOM (Institute for Security and Open Methodologies Vin An ninh v cc phng php m).

ISSAF (Chun nh gi an ninh h thng thng tin)

ISSAF (www.oissg.org/issaf) l mt chun phn tch v kim tra an ninh m ngun m. ISSAF tin hnh cc nh gi bo mt theo mt th t hp l. Mi nh gi ny c thc hin trn cc thnh phn khc nhau ca h thng. Bng cch tin hnh theo mt vng khp kn, ISSAF c th cung cp chnh xc, y , v hiu qu yu cu kim nh an ninh ca t chc. ISSAF c pht trin tp trung vo hai lnh vc kim tra an ninh, k thut v qun l. Mt k thut thit lp cc quy tc v th tc ct li to ra mt qu trnh nh gi y v bo mt, trong khi mt qun l hon thnh cc bc ca qu trnh qun l v nhng cng vic nn c thc hin trong giai on kim tra. Phng php nh gi ISSAF bao gm cc giai on: lp k hoch, nh gi, x l, cp php v bo tr. Mi giai on c tin hnh hiu qu v linh hot ty theo iu kin c th. Kt qu cui cng l s kt hp ca cc hot ng nghip v, cc gii php an ninh v mt danh sch y cc l hng c th tn ti trong mi trng c kim tra.

ISSAF bao gm mt tp hp phong ph cc quy trnh v k thut nh gi khc nhau v thng xuyn c cp nht. Ngi kim tra c th thm vo cc cng c bo mt, cc phng php, th tc, b sung cho quy trnh nh gi an ninh. Cng c th kt hp vi phng php OSSTMM hoc bt k phng php kim tra no khc nhm pht huy u im ca mi phng php.

u im ca phng php ISSAF L phng php hu ch trong vic m bo an ninh cho h thng bng cch thc hin cc kim tra l hng h thng.

Ch ra nhng thnh phn quan trng trong nh gi an ninh thng tin nh: nh gi ri ro, qun l kinh doanh, t chc nh gi, tin trnh qun l, pht trin chnh sch bo mt v cc thc hnh hu ch.

Ton b tin trnh nh gi ISSAF bao gm cc hot ng qun l, nh gi bo mt vt l, phng php th nghim thm nhp, qun l s c, qun l thay i, qun l kinh doanh lin tc, nhn thc v an ninh, tun th php lut v quy nh.

Phng php kin th xm nhp ISSAF kim tra an ninh ca c thnh phn mng, h thng hoc ng dng. Phng php ny tp trung vo nhng cng ngh c th nh thit b nh tuyn (router), chuyn mch (switch), tng la, h thng pht hin v phng th xm nhp, mng ring o, my ch ng dng web, c s d liu,

Thu hp khong cch gia k thut v qun l kim tra bo mt bng cch thc hin cc tc ng cn thit c hai lnh vc.

Gip ngi qun l hiu v nhng ri ro bo mt v cc l hng c th nh hng n hot ng ca t chc.

WASC-TC (Phn loi nguy c trong bo mt ng dng web)

WASC-TC l mt tiu chun m nh gi s an ton ca cc ng dng web. Tng t nh tiu chun OWASP, WASC-TC cng c phn loi thnh cc phng php tn cng v im yu bo mt, nhng i vo phn tch mt cch su sc hn. Cc tiu chun tng th c trnh by trong ba quan im khc nhau gip cc nh pht trin v ngi kim tra bo mt c c nhng hiu bit cn thit v mi e da bo mt ng dng web.

Quan im Lit k (Enumeration): Quan im ny cung cp ci nhn c bn v tn cng ng dng web v im yu bo mt. Mi cuc tn cng v im yu bo mt c trnh by vi nh ngha ngn gn, phn loi v nhiu v d khc nhau. C tng cng 49 cuc tn cng v im yu i chiu vi s th t trong WASC-ID (1-49).

Quan im Pht trin (Development): Quan im ny gip nh pht trin c c ci nhn ton din v cc cuc tn cng v im yu bo mt c th xy ra trong cc giai on pht trin: thit k, thc hin hoc trin khai. Cc l hng thit k xut hin khi ng dng khng thc hin cc yu cu bo mt giai on thu thp ban u. Cc l hng thc hin xy ra do nguyn tc m ha v thc hnh m ha khng an ton. V cc l hng trin khai l kt qu ca vic cu hnh sai ng dng, my ch web v cc h thng bn ngoi khc. Nh vy, di quan im pht trin, kt hp cc yu t ny trong mt vng i pht trin lin tc l thc hnh tt nht m bo an ninh cho ng dng.

Quan im Tham chiu cho (Taxonomy Cross Reference): cp n quan im tham kho cho nhiu tiu chun bo mt ng dng web gip ngi kim tra v cc nh pht trin trnh by cc thut ng theo mt chun ph hp. Tuy nhin, mi tiu chun vn c nhng tiu ch ring nh gi ng dng t cc gc khc nhau v cc bin php o lng ri ro ring. Cc phng php tn cng v im yu bo mt trong WASC-TC c trnh by tham chiu vi OWASP Top 10, CWE (Mitres Common Weakness Enumeration), CAPEC (Mitres Common Attack Pattern Enumeration and Classification) v SANS-CWE Top 25 List.

u im ca phng php WASC-TC Cung cp kin thc chuyn su nh gi mi trng ng dng web nhm chng li cc cuc tn cng v im yu ph bin nht.

Cc cuc tn cng v im yu c trnh by bi WASC-TC c th c s dng kim tra mi nn tng ng dng web bng cch kt hp vi cc cng c trong h iu hnh BackTrack.

Tiu chun ny cung cp ba quan im khc nhau, c th l lit k, pht trin v tham chiu cho. Quan im Lit k cung cp khi nim c bn cho tt c cc cuc tn cng v im yu c tm thy trong cc ng dng web. Quan im Pht trin kt hp cc nh ngha tn cng v im yu bo mt thnh cc khi nim v l hng v sp xp theo s xut hin trong tng giai on pht trin c th: thit k, thc hin hoc trin khai. Quan im tham chiu cho gip WASC-TC tham kho v tng thch vi nhng chun bo mt ng dng khc.

WASC-TC c chp nhn mc cng nghip v tnh hi nhp ny c th hin trong cc m ngun m v cc gii php thng mi, ch yu l nh gi l hng bo mt v cc sn phm qun l